CVE-2025-31266 is a domain name spoofing vulnerability affecting the Safari browser on Apple macOS platforms. The flaw stems from insufficient truncation and validation when rendering the fully qualified domain name (FQDN) in the title of pop-up windows. An attacker-controlled website can exploit this by crafting a pop-up window whose title displays a spoofed domain name, misleading users into believing the pop-up originates from a trusted source. This can facilitate phishing attacks or social engineering by exploiting user trust in browser UI elements. The vulnerability does not impact confidentiality or integrity directly but affects availability minimally by potentially disrupting user trust and workflow. It requires no privileges or authentication but does require user interaction to trigger the pop-up. Apple addressed this issue in Safari 18.5 and macOS Sequoia 15.5 by improving truncation logic to correctly display the actual domain name, preventing spoofing. The CVSS v3.1 base score is 4.3 (medium severity), reflecting network attack vector, low complexity, no privileges required, but user interaction needed, and limited impact on availability only. No known exploits have been reported in the wild as of now. The CWE classification is CWE-451 (Incorrect Expression of a Domain Name or URL). The vulnerability primarily affects macOS users running vulnerable Safari versions, emphasizing the need for timely updates.

For European organizations, this vulnerability primarily poses a risk to user trust and phishing resilience rather than direct system compromise. Attackers could use spoofed pop-up titles to impersonate legitimate services, tricking employees into divulging credentials or executing malicious actions. This can lead to credential theft, unauthorized access, or malware deployment if combined with other attack vectors. Sectors such as finance, government, healthcare, and critical infrastructure, which often rely on macOS devices and are frequent phishing targets, face elevated risks. The impact on confidentiality and integrity is indirect but significant due to potential social engineering exploitation. Availability impact is minimal but user productivity and security posture could degrade if users fall victim to spoofing. The medium CVSS score reflects this moderate risk. Organizations with large macOS user bases must consider this vulnerability in their threat models and user awareness programs.

European organizations should prioritize updating all macOS devices to at least macOS Sequoia 15.5 and Safari to version 18.5 or later to apply the official fix. In environments where immediate patching is challenging, organizations can implement browser usage policies restricting Safari versions or enforce alternative browsers not affected by this issue. User training should emphasize skepticism toward unexpected pop-ups and verification of domain authenticity beyond window titles. Deploying endpoint protection solutions with phishing detection capabilities can help identify and block malicious sites exploiting this spoofing. Network-level filtering to block known malicious domains and URLs can reduce exposure. Security teams should monitor for phishing campaigns leveraging spoofed pop-ups and incorporate this vulnerability into incident response playbooks. Regular audits of macOS device compliance and browser versions will ensure timely remediation. Additionally, organizations can consider deploying browser extensions or security tools that enhance domain visibility and authenticity indicators.